Server switching method and server system equipped therewith

ABSTRACT

There is disclosed a high speed switching method for a disk image delivery system fail-over. A management server sends a disk image of an active server in advance to a standby server. When receiving a report that the active server has failed, the management server judges whether or not it is possible for the standby server to perform the service of the failed active server based on service provision management server information held by the management server and if possible, instructs the standby server to perform the service of the active server. Even if the disk image delivered in advance is different from the disk image of the failed active server, switching of is the service to the standby server can be performed more quickly through resetting the setting values of unique information and installing the additional pieces of software on the standby server by the management server than redelivering an appropriate disk image.

CLAIM OF PRIORITY

The present application claims priority from Japanese applicationJP2007-302697 filed on Nov. 22, 2007, the contents of which are herebyincorporated by reference into this application.

BACKGROUND OF THE INVENTION

The present invention relates to high speed switching technologies for afail-over, especially to a high speed switching technology for a diskimage delivery system fail-over.

In a computer system attached to a SAN (Storage Attached Network), it ispossible to change computers accessible to a particular LU (LogicalUnit) with each other by changing the security settings for the LU in astorage subsystem attached to the SAN and for HBAs (Host Bus Adapters)integrated in the computers. Using this approach, a fail-over method,where a computer is changed to another one without changing LUs when theformer computer breaks down, has been realized. Another fail-over methodwhich achieves a similar effect by changing the WWNs (World Wide Names)of HBAs without changing the security settings has been realized. Bothfail-over methods need expensive storage devices while being capable ofproviding high speed fail-over functions.

Therefore, there is a high demand for more inexpensive fail-overmethods. Compared with the above mentioned fail-over methods, anothermethod, where the disk image of the failed computer is delivered to aspare computer, has been proposed as an inexpensive fail-over method(JP-A-2006-11781). Because this disk image delivery method does not needexpensive storage devices, it is possible to build an inexpensive systemwith high availability. However, there is a problem in that it takestime to complete the fail-over because the delivery starts after afailure occurs.

BRIEF SUMMARY OF THE INVENTION

In JP-A-2006-11781, the method to realize a high speed fail-over isdisclosed. However, it is realized by installing an OS (OperatingSystem) and applications quickly on a spare computer after a failureoccurs. Therefore, because the time of the installation is alwaysneeded, there is a limit to speeding up this fail-over method.

A primary object of the present invention is to provide a high speedswitching method for a fail-over and a system equipped with this method.

In the present invention, because the time of installation is eliminatedby delivering a disk image to a standby server in advance or even when adisk image delivered in advance is different from that of a failedserver, the time needed to reset the settings of unique information andto install additional pieces of software on the disk image is shorterthan the time to redeliver an appropriate-disk image, a high speedfail-over method and a system equipped with this method can be provided,

In other words, in the present invention, the disk image correspondingto one of the services provided by an active server is delivered inadvance to a standby server, is and when receiving the report that theactive server has failed, a management server that manages both theactive server and the standby server judges whether it is possible forthe standby server to perform the service of the failed active server ornot. If possible, the management server instructs the standby server toperform the service of the active server. If the management serverjudges the standby server to be incapable of performing the service ofthe failed active server, the management server sends a proper diskimage to the standby server in order for the standby server to performthe service of the active server.

In other words, in order to achieve the above mentioned object, presentinvention provides a server switching method for a server system thatincludes an active server, at least one standby server and a managementserver that are equipped with storage devices and process modulesrespectively and that are all connected through a network. In addition,the server switching method is configured in such a way that themanagement server delivers the disk image of an active server to astandby server in advance; holds service provision management serverinformation in the storage device of its own; and when receiving thereport that the active server has failed, judges whether it is possiblefor the standby server to perform the service of the failed activeserver or not based on the service provision management serverinformation held in the storage device; and if possible, instructs thestandby server to perform the service of the active server.

The above mentioned configuration of the present invention provides aserver switching method with a high speed fail-over function and asystem equipped with this method.

BRIEF DESCRIPTION IF THE DRAWINGS

FIG. 1A is a schematic block diagram showing a system of a firstembodiment of the present invention;

FIG. 1B is an explanatory diagram showing a disk image used in thesystem of the first embodiment;

FIG. 2 is a diagram showing the fail-over procedures used in the firstembodiment;

FIG. 3 is a block diagram showing a management server used in the firstembodiment;

FIG. 4 is a block diagram showing an active server used in the firstembodiment;

FIG. 5 is a block diagram showing a standby server used in the firstembodiment;

FIG. 6 is a diagram showing Management Table of Server HardwareInformation used in the first embodiment;

FIG. 7 is a diagram showing Table concerning Software is stored in DiskImage used in the first embodiment;

FIG. 8 is a diagram showing Information Table concerning Hardwareincluded by Disk Image used in the first embodiment;

FIG. 9 is a diagram showing Management Table of Service Provision Serverused in the first embodiment (before the occurrence of an accident);

FIG. 10 is a diagram showing Management Table of Service ProvisionServer used in the first embodiment (after the occurrence of an accidentand during switching);

FIG. 11 is a diagram showing Management Table of Service ProvisionServer used in the first embodiment (after the completion of switching);

FIG. 12 is a diagram showing Table concerning Services and Network usedin the first embodiment;

FIG. 13 is a diagram showing Table concerning Service Priority used inthe first embodiment;

FIG. 14 is a diagram showing Failure Notification Management Table usedin the first embodiment;

FIG. 15 is a diagram showing the process flow of Control Program Groupused in the first embodiment;

FIG. 16 is a diagram showing the process flow of Failure NotificationReceiving Program used in the first embodiment;

FIG. 17 is a diagram showing the process flow of Network SettingChanging Program used in the first embodiment;

FIG. 18A is a diagram showing the process flow of Delivery InstructionProgram used in the first embodiment;

FIG. 18B is a diagram showing the process flow of Delivery InstructionProgram used in the first embodiment;

FIG. 19 is a diagram showing the process flow of Delivery ExecutionProgram used in the first embodiment;

FIG. 20 is a diagram showing the process flow of Test Execution Programused in the first embodiment;

FIG. 21 is a schematic block diagram showing a system of the secondembodiment of the present invention;

FIG. 22 is a block diagram showing a management server used in thesecond embodiment;

FIG. 23 is a block diagram showing a managed server used in the secondembodiment;

FIG. 24 is a diagram showing Security Setting Table of Storage Subsystemused in the second embodiment;

FIG. 25 is a diagram showing the security setting of a storage used inthe second embodiment;

FIG. 26 is a block diagram showing a system including integrated disksand storages attached to a SAN used in the third embodiment;

FIG. 27 is a block diagram showing a system including only storagesattached to a SAN used in the third embodiment;

FIG. 28 is a diagram showing a virtual server shown in FIG. 26 used inthe third embodiment;

FIG. 29 is a diagram showing a virtual server shown in FIG. 27 used inthe third embodiment;

FIG. 30 is a diagram showing Difference Data Management Table used inthe third embodiment; and

FIG. 31 is a diagram showing License Management Table used in eachembodiment.

DETAILED DESCRIPTION OF THE INVENTION

The preferred embodiments of the present invention will be described indetail hereafter with reference to the attached drawings. In thisspecification,a server is a term used to refer to an ordinary computerwith communication function.

The First Embodiment of the Present Invention

FIG. 1A is a schematic block diagram showing a system of the firstembodiment of the present invention. A management server 101 isconnected to active servers 102 and standby servers 103 via a NW-SW 104.The active servers 102 provide service services and when one of theactive servers 102 breaks down, one of the standby servers 103 willprovide the service of the failed server instead of the failed activeserver. The management server 101 keeps an eye on the active servers 102and the standby servers 103. A primary object of this embodiment is toprovide a server system, wherein a failure notification issued by anyone of the active servers 102 is monitored and when one of the activeservers 102 breaks down, one of the standby servers 103 will provide theservice of the active server instead of the failed active server, withthe result that the continuity of business can be enhanced.

The active servers 102 have integrated storage devices 122 and thestandby servers 103 have integrated storage devices 132. OSs, middlewareand applications to provide services are installed on the storagedevices 122 and the storage devices 132 respectively. The managementserver 101 has an integrated storage device 112. Disk images 121, wheresoftware necessary to provide the service services is installed, arestored in the storage devices 112.

The contents of the disk images 121, which will be described later withreference to the attached drawings, are the disk images of theindividual active servers necessary to provide the service services, thedisk images with the unique information about the individual activeservers removed, or the disk images where only the pieces of softwareused commonly by the active servers are installed, and the like.

When a failure occurs at any of the active servers 102, a disk image 121that provides a similar service as the failed active server 102 does isdelivered to one of the standby servers 103, with the result that thecontinuity of the service can be achieved. As to the disk image 121delivered, if the disk image 121 that is the completely same disk imageof the failed server 102 is delivered, the continuity of the service canbe achieved only by the delivery. In this case, however, the same numberof the disk images 121 as the number of the active servers must beprepared, with the result that an enormous amount of storage is needed.

Compared with the above approach, if the disk images with the uniqueinformation about the individual active servers removed are used, thedisk images 121 with the same service services prepared can be commonlyused although the setting the unique information about the individualactive servers must be performed after delivery. Hence, the storagecapacity necessary to store the disk images 121 can be reduced. Inaddition, if the disk images 121 where only the pieces of software usedcommonly by the active servers are installed are used, the disk images121 can be shared throughout the server system. In this case, becausethe necessary pieces of software must be installed and the uniqueinformation for each OS and each piece of software is must be set afterdelivery, the speed of the fail-over decreases a little. However, thisapproach is much more advantageous in terms of workload and labor timethan conventional approaches where installation must be performed on aserver which has nothing installed.

Especially in this embodiment, because the time needed to complete afail-over can be reduced by delivering disk images in advance to thestandby servers 103, reinstallation should be avoided as much aspossible. By delivering the disk images 121, where only the pieces ofsoftware used commonly are installed, in advance on the standby servers,reinstallation can be avoided and a fail-over can be realized morespeedy. Control Program Group 110 includes a group of programs thatrealize the above mentioned high speed fail-over. Management Table Group111 stores information tables concerning the active servers 102 and thestandby servers 103, information tables concerning the disk images 121,and information tables concerning service services. These ControlProgram Group 110 and Management Table Group 111 will be described indetail later.

FIG. 1B is a diagram showing an example of a disk image schematically. Adisk image 140 in FIG. 1B includes P.P.s (Program Product) 142 that arepieces of application middleware, an OS 143, and hardware (architecture)information 144. In addition, the P.P.s 142 and the OS 143 includesetting values 145 and 146 respectively as unique information 141. Thisdisk image is typically a file that collects data stored in storagedevices attached to servers. Getting the disk image back to the originalserver makes it possible to restore the server to its original status atthe time when the disk image was obtained. In addition, bringing thedisk image to a server with the same hardware configuration makes itpossible to build a replica of the original server with the OS installedand the P.P.s set.

However, because the OS 143 and the P.P.s 142 shown in FIG. 1B holdinformation unique to each hardware (license, host name, IP address andthe like), there is a case where a disk image cannot be brought into asystem that provides service services only by building and deliveringthe replica of the disk image. To realize this object, proper settingfor each server must be performed. As mentioned above, disk images thatare used in various embodiments in various embodiments range from oneswith OSs and P.P.s installed to ones without OSs and P.P.s, and theyalso range from ones with setting values for hardware and software setto ones without setting values.

FIG. 2 is a diagram illustrating the overview of a high speed fail-overmethod in this embodiment. In addition, you should be careful thatnumbers in circles in FIG. 2 and others are represented as ones inparentheses in this specification. First, a disk image 121 is deliveredto a standby server 103 in advance in consideration of the priorities ofservice services, operation records and the like. However, the deliveryof a disk image in advance is not necessarily imperative. There will bethe case where it is impossible to deliver a disk image in advance forthe reason that the upper limit number of licenses is exceeded and thelike. The service A 202 is provided to an active server 102. (1) Themanagement server 101 receives a failure notification 221. (2) Themanagement server 101 judges whether redelivery or resetting isnecessary or not after identifying the disk image delivered to thestandby server 103. (3)-1 (in the case of Yes) If the disk imagedelivered to the standby server 103 is one for other service such as theservice B203, redelivery is necessary. Therefore the disk image for theservice A202 is delivered to the spare disk 103. (3)-2 (in the case ofNo) Because the disk image for the service A202 has been delivered tothe spare disk 103, the power to the standby server can be powered on.(4) Because the standby server 103 has the disk image for the serviceA202 after the previous step, the standby server is brought into theactive service LAN, and the service is kept running. As roughlydescribed above, if the disk image distributed in advance is the targetdisk image, a high speed fail-over can be provided. If the setting forthe standby server can be accomplished through resetting other thanredelivery, a high speed fail-over can be also provided. In thisembodiment, how to build a target server by resetting without usingredelivery will be described. In other words, the setting of tolerableranges within which target image disks can be obtained by resetting willbe described later. At the step (2), how to maintain the remainingservers will be determined, and if necessary, redelivery or resetting isperformed on them.

FIG. 3 is a diagram showing an example of the configuration of themanagement server 101 in this embodiment. The management server 101includes a CPU (Central Processing Unit) 301, a memory 302 that storesprograms and processes used in the CPU 301, a NIC (Network InterfaceCard) 304 that is used for the communication through an IP network, anda storage device 112 that stores programs and data. As mentioned above,the configuration of the server is similar to that of an ordinarycomputer.

Control Program Group 110 and Management Table Group 111 are stored inthe memory 302. Control Program Group 110 (See FIG. 15) includes FailureNotification Receiving Program 310 (See FIG. 16), Network SettingChanging Program 311 (See FIG. 17), Delivery Instruction Program 312(FIG. 18), Delivery Execution Program 313 (See FIG. 19), and TestExecution Program 314 (See FIG. 20).

Management Table Group 111 includes Management Table of Server HardwareInformation 321 (See FIG. 6), Table concerning Software stored in DiskImage 322 (See FIG. 7), Information Table concerning Hardware includedby Disk Image 323 (See FIG. 8), Management Table of Service ProvisionServer 324 (See FIG. 9, FIG. 10, and FIG. 11), Table concerning Servicesand Network 325 (See FIG. 12), Table concerning Service Priority 326(See FIG. 13), Security Setting Table of Storage Subsystem 327 (See FIG.24), Failure Notification Management Table 328 (FIG. 14), DifferenceData Management Table 329 (See FIG. 30), and License Management Table330 (See FIG. 31). The details about these tables will be describedlater with reference to the corresponding drawings respectively. Failurenotifications received by the management server 101 are performed by amonitoring mechanism that is built using hardware and software possessedby the active server 102, that is, the target server for monitoring andthe standby server 103.

FIG. 4 illustrates the configuration of the active server 102. Theactive server 102 includes a CPU 401 that carries out calculation, amemory 402 that stores programs and processes used by the CPU 401, a NIC403 that is used for the communication through the IP network, a BMC(Baseboard Management Controller) 404 that is used for the managementserver 101 to control power supply. The power to the active server 102can be turned on or off through the BMC 404. The active server 102 andthe management server 101 are connected via the NW-SW 104. A monitoringprogram (not shown) running on the active server 102 communicates withthe management server 101 through the NIC 403, and informs themanagement server 101 of failures. The settings, loads, failures, andthe like of the active server 102 can be monitored by the abovementioned monitoring program. There may be often the case where the NIC403 is used only for management, so it is common that another NIC isinstalled for the service services. In addition, the BMC 404 alsoconnects the active server 102 to the management server 101 through thenetwork. Therefore the management server 101 can be informed of hardwarefailures and it can also turn on or off the power to the active server102 forcibly through hardware means.

FIG. 5 illustrates the configuration of the standby server 103. Thestandby server 103 includes a CPU 501 that carries out calculation, amemory 502 that stores programs and processes used by the CPU 501, a NIC503 that is used for the communication through the IP network, and a BMC504 that is used for the management server 101 to control power supply.The power to the standby server 103 can be turned on or off through theBMC 504. The standby server 103 and the management server 101 areconnected via the NW-SW 104. A monitoring program (not shown) running inthe standby server 103 communicates with the management server 101through the NIC 503, and informs the management server 101 of failures.The settings, loads, failures and the like of the standby server 103 canbe monitored by the above mentioned monitoring program. There may beoften the case where the NIC 503 is used only for management, so it iscommon that another NIC is installed for the service services. BMC 504also connects the standby server 103 to the management server 101through the network. Therefore the management server 101 can be informedof hardware failures of the standby server 103 and it can also turn onor off the power to the standby server 103 forcibly through hardwaremeans. After delivering the disk image in advance to the standby server103, the standby server 103 can be run regularly or irregularly in orderto perform maintenance works such as running operation check programs orapplying patches to the standby server 103.

FIG. 6 illustrates Management Table of Server Hardware Information 321in detail, one table of Management Table Group 111 that is stored in thememory 302 of the management server 101. Information concerning hardwareand software integrated in or attached to each server is collected inthis table. The column 601 stores server identifiers with which serverscan be uniquely identified.

The column 602 stores CPU architectures, that is, the types of CPUs thatacts as process modules. Fundamentally it is difficult for the serverswith different CPU architectures (types) to share the disk image forbooting an OS. Therefore it is important to decide the appropriate CPUarchitecture using some means in order to avoid delivering aninappropriate CPU architecture (type of the process module) whendelivering a disk image.

The column 603 stores UUIDs (Universal Unique Identifiers). UUIDs aredesignated in such a way that they are fundamentally built in order notto be duplicated universally. Therefore if UUIDs are allocated toindividual servers, they can be identifiers to assure uniqueness toindividual servers. So they can be candidates for the server identifiersin the column 601 and they would be very useful for the management tocover a broad range of servers. However, a system administrator can useidentifiers that he want to use to identify servers, and as long as thetarget servers to be managed are not duplicated, it is not necessarilyimperative to use UUIDs as server identifiers. For example, hast names,IP addresses, MAC addresses (Media Access Control Addresses) and thelike can be also candidates.

The column 604 to 606 store information concerning HBAs (Host BusAdaptors). The column 604 stores the numbers of HBAs. Using thisinformation, the number of HBAs that a server holds can be obtained sothat the number of HBA device drivers to be incorporated can be examinedwhether it is adequate or not with reference to the hardware included inthe disk image that will be described in detail in FIG. 8.

The column 605 stores the WWNs of HBAs. The WWNs are identifiers toidentify servers in the security setting of a storage subsystem shown inFIG. 24 in a SAN environment in the second embodiment. Therefore thereis a case where the WWNs play a role as server identifiers in the systemwhere the SAN environment is indispensable.

The column 606 stores the types of the HBA device drivers. If thelocations where the device drivers are to be installed are written inthe column 606, even when the device driver with different type isincorporated, the location where a necessary device driver is to beincorporated is explicitly provided, with the result that automaticincorporation of device drivers can be realized. The column groupconcerning HBAs plays an important role in SAN environments, which willbe described in detail in the explanation of the second embodiment ofthe present invention.

The column 607 to 609 store information concerning NICs. The column 607stores the number of NICs. In a similar way to the column 604, usingthis information, the adequate number of NIC device drivers to beincorporated can be examined. In addition, whether the number of theNICs is adequate or not can be examined when IP information (IPaddresses, subnet masks, default gateways, and the like) needed toperform the service services are allocated to the NICs. If the number ofthe NICs is inadequate, multiple pieces of IP information would beallocated to one NIC. If this causes a problem in terms of the operationor performance, this allocation should be averted by some means with theuse of the above information.

The column 608 stores MAC addresses of the NICs. Because the MACaddresses are unique addresses, they may play a role as the serveridentifiers.

The column 609 stores the types of the NIC device drivers. If thelocations where the device drivers are to be installed are written inthe column 609, even when the device driver with different type isincorporated, the location where a necessary device driver is to beincorporated is explicitly provided, with the result that automaticincorporation of device drivers can be realized.

The column 610 to 612 store information concerning storages. It is veryimportant that when the disk image is delivered, each storageenvironment is compatible with the other.

The column 610 stores the names of the connection I/Fs (interfaces)between the servers and the storage devices. If the connection interfacebetween a server and a storage device are not compliant with each other,the replacement of the storage device driver is indispensable. Thereforewhen a disk image is delivered, whether the necessary works to make thedelivered disk image work properly has been performed or not can beexamined using above information.

The column 611 stores the values of the storage capacities of storagedevices. If the volume of the disk image to be delivered is larger thanthe value of the corresponding capacity written in the column 611, thedisk image cannot be stored perfectly, with the result that the servercannot operate properly. In contrast with this, if the volume of thedisk image is smaller, there is no problem on this matter as to theoperation of the server. Therefore there may be the operation with thismatter neglected depending on some management policies,

The column 612 stores the type names of storage devices, that is, thetype name of storage devices to boot OS or the type name to store data.The storage devices to store data are often deployed as external onesattached to a SAN environment. In this case, it may be necessary to takeover the services performed by the data disks attached to the SANenvironment. The storage devices attached to the SAN environment will bedescribed in detail in the explanation of the second embodiment of thepresent invention.

As mentioned above, this table is also applicable to a SANconfiguration. If the values of memory capacities are added to thistable (not shown in FIG. 6), this table can be used for searching for aserver that has performance to perform a certain service. Therefore itis possible to select a server that has performance suited to a certainapplication when a fail-over is needed. Information of this table can beautomatically collected from servers. However, there is also the casewhere information of this table is input by an administrator. However,as to the column 612, although the operation, where each initial inputis set to “boot” and then no changes are made, can be thought of, eachinitial input is generally input manually by an administrator. Inaddition, as to the column 601, inputs to this column can be omitted bydesignating one of other columns in this table or some combination ofmultiple columns in this table. The elements of this column can benumbered in ascending order.

FIG. 7 shows one configuration example of Table concerning Softwarestored in Disk Image 322 that is one table of Management Table Group 111in the management server 101. This table includes information concerningsoftware stored (installed) on disk images, unique setting information,and information concerning P.P.s that are permitted to be additionallyinstalled on an existing installed system and their versions arecollected in this table.

The column 701 stores service identifiers. There are some descriptionmethods for the column 701 such as one where the first server forservice A, the second server for service A and so on are described tothe extent of specifying individual server levels (751 to 754); onewhere installation of software common to service A or service B isdescribed to the extent of specifying individual service levels (755,756); and one where installation of software common to system 1 orsystem 2 is described to the extent of specifying common environmentallevels (757,758).

The column 702 stores disk image names. The disk image names are theidentifiers for specifying individual disks. Here the contents of a diskimage will be described. In a similar way to the column 701, it isdesirable to change the contents and the types to be stored depending onindividual objects. For example three types of disk images will bedescribed below. Three types of disk images includes following (1), (2)or (3).

-   (1) OS+middleware and applications+unique information;-   (2) OS+middleware and applications (unique information is omitted);    and-   (3) OS (middleware and applications are not installed and unique    information is omitted). The advantage of (1) is that only the    delivery of the disk image can make the service start.

In addition, if the disk image delivered to the standby server iscompletely the same as that of the failed active server, only bootingthe standby server can complete the fail-over, with the result that avery high speed fail-over can be realized. The advantage of (2) is thatafter the delivery of the disk image, only setting unique informationcan make the service start. When compared with (1), (2) takes a littlemore time than (1) because the time to set unique information is needed.However (2) may be advantageous in terms of software licenses. Whenconsidering today's software license system, there is a considerablepossibility that an additional license is required in the case of themethod (1), while the least possibility in the case of the method (2).This is because the disk image in the case of the method (2) may beconsidered as a backup disk image. The advantage of (3) is that althoughthis method requires the installation of necessary P.P.s and the of theunique information after delivery, which takes a longer time than (1) or(2), this method can provide a fail-over much faster than conventionalapproaches where installation must be performed on a server which hasnothing installed. In addition, (3) is the most advantageous in terms ofsoftware licenses mentioned above. In the method (3), additionallicenses are not required because P.P.s are not installed on the standbyserver. Spare licenses can be used by the active servers, which resultsin the increased number of licenses per active server. Therefore asystem with high availability can be built at cheaper cost. For example,license management is performed using License Management Table 330 (SeeFIG. 31). In view of disk image management, because the method (3) hasthe largest common portion, it can do with the least number of diskimages. On the other hand, because the method (2) has a larger fixedportion than the method (3), it needs a larger number of disk images. Inthe case of the method (1), because each server has its specific diskimage, the total number of disk images for the method (1) is larger thanthat for the method (2).

The column 703 stores the types of OSs. Adding information concerningSPs (service packs) and patches will make it easier to judge whetherP.P.s to be additionally installed are compliant with the prerequisitesor not. In addition, this is advantageous in that the server maintenancebecomes easier in view of security. Although specific OSs are listed inthis table, other OSs can be listed likewise, with the result that theeffectiveness of this embodiment is increased.

The column 704 stores the names of CPU architectures corresponding tothe OSs. If the disk image that has an incompatible CPU architecture isdelivered, the server cannot provide its service. Therefore by usinginformation listed in this column, it is avoidable to deliver a diskimage with an incompatible CPU architecture to a server. CPUarchitectures other than the specific CPU architectures listed in thistable can be listed likewise, with the result that the effectiveness ofthis embodiment is increased.

The column 705 stores host names. Generally speaking, an administratorgives the servers their host names because some applications mayidentify servers with their host names. However, automatic naming can beperformed according to the naming rule designated by the administrator.The column 706 stores OS passwords.

The column 707 stores IP information. IP information includes IPaddresses, subnet masks, default gateways and the like. As to the IPaddresses, a range of IP addresses can be listed instead of a specificaddress being listed. Therefore, one of the idle addresses within therange can be used, so that the resources of IP addresses can beeffectively utilized. However, some administrators or applications useIP addresses as the identifiers to identify servers. Therefore there arecases where each server is given a unique IP address explicitly by theadministrator.

The column 708 stores P.P. names. The names of pieces of middleware andthe names of applications necessary to provide services, and informationabout their versions are listed in this column. By referring to thiscolumn, information about P.P.s necessary to perform individual servicescan be obtained.

The column 709 stores unique information concerning P.P.s. Thisinformation includes IP address (logical IP address) and port numbersused by individual P.P.s. If the port numbers are duplicated, somepieces of software do not run or others do not operate properly even ifthey run. By listing the port numbers used by P.P.s in this column inorder not to duplicate the port numbers, the above troubles can beavoided. If the costs needed to install additional P.P.s is provided inthis column, this provides information for making a decision as towhether to install additional P.P.s and set the unique information or todeliver the corresponding disk image again. In addition, if theinstallation locations of P.P.s and environmental variables are listedin this column, it will be ensured that necessary settings are performedand P.P.s are installed on the right locations expected by other P.P.susing information in this column.

The column 710 stores coexistence conditions with other P.P.s. P.P.s andtheir versions that can coexist with each other in the same servers andthe limitations concerning some operation environments such as JRE (JavaRuntime Environment) are listed in this column. This providesinformation for making a decision as to whether to install additionalP.P.s and set the unique information without redelivery or to deliverthe corresponding disk image again in order to perform a fail-over.

The column 711 stores delivery costs. A primary object of thisembodiment is to provide a high speed fail-over. Therefore, it is veryimportant how to prepare the destination of the fail-over. In this case,it is necessary to select more inexpensive method after identifying thetime of redelivery per disk image (per service) and at the same timetaking into consideration the times needed to install additional P.P.s(listed in the column 709).

Because this table includes software information installed on diskimages, it is avoidable to deliver a disk image to a server with anincompatible hardware configuration such as a CPU architecture usinginformation listed in this table. In addition, it is also possible tomake up the difference between the disk image already delivered and thedisk image suited to the service to be performed by taking advantage ofthis table.

Data to be input to the column 703, the column 704, the column 705, andthe column 707 in this table can be collected from the server from whichdisk images are obtained with the use of agent programs or informationgathering commands of OSs. An administrator can also input data to thosecolumns. As to other columns, data is input by an administrator or datais input at the same time as disk images are obtained or P.P.s areinstalled. As to the column 710, data is often input by anadministrator, but data to be input can be also listed based on the datawhich is collected per P.P. from servers on the Internet or on theintranets.

FIG. 8 illustrates Information Table concerning Hardware included byDisk Image 323 in FIG. 3 in detail. This is the hardware configurationof the server from which the disk image was obtained. In other words, itis the hardware configuration necessary for the disk image to be able tooperate properly. To be concrete, by comparing FIG. 8 with FIG. 6, it ispossible to judge whether the hardware configuration to which the diskimage is applicable is compatible with the hardware configuration of thedestination server or not. In addition, in a similar way, it is alsopossible to judge whether the difference between them is within thetolerable range or not.

The column 801 stores disk image names. The column 802 stores CPUarchitecture names.

The column 803 stores UUIDs. There are only a few cases where OSs orsome pieces of software do not run properly after the delivery of diskimages because of incompatibility of UUIDs. However, there are somecases where platforms to be used are specified by hardware identifiers.In such cases, it is necessary to make the UUIDs coincide virtuallyusing server virtualization technology.

The column 804 to 809 store hardware information concerning I/O devicessuch as HBAs and NICs just like the column 604 to 609 in FIG. 6.

The column 810 and 811 store hardware information concerning storagedevices just like the column 610 and 611 in FIG. 6. In particular,attention should be paid to the values of the storage capacities listedin the column 811. If one of the values of the column 811 in FIG. 8 issmaller (the storage capacity is smaller than the volume of thecorresponding disk image), the disk image can not be stored perfectly,with the result that the fail-over cannot be completed properly. Data tobe input to this table can be collected with the use of agent programsor information gathering commands of OSs and also it can beautomatically collected.

The FIG. 9 illustrates Management Table of Service Provision Server 324in FIG. 3 in detail. It shows the contents of Management Table ofService Provision Server 324 under the condition that all active serversare normal. This table stores server types (active/spare), providedservices, delivered disk images, delivery statuses, failure statuses,service statuses, the conditions for standby servers should satisfy whenfail-over measures are performed, presence or absence of data disks, andtheir identifiers. Because the statuses of the servers can be graspedusing this table, it becomes possible to take measures when failuresoccur.

The column 901 stores server identifiers. The column 902 stores servertypes (active/spare).

The column 903 stores service identifiers. If a section of the column isfor an active server, the name of the service provided by the activeserver is listed in the section. If it is for a standby server, theidentifier of the service delivered in advance is listed in the section.When a failure occurred, the necessary service can be confirmed byreferring the column 903 of the failed active server, and whether thedisk image corresponding to the necessary service has been delivered toa standby server can be judged by referring the column 903 of thestandby server.

The column 904 stores disk images. The column 905 stores deliverystatuses. The delivery statuses store information about whether diskimages have been delivered or not, and about whether unique informationhas been delivered or not.

The column 906 stores failure statuses. This stores failure informationabout active servers. This is not listed in this example table, but byobserving standby servers in standby state and listing the failurestatus of a standby server in this column if the standby server fails,it becomes possible to take measures to the standby server failure. Forexample, the standby server failures can be checked by running checkprograms on the standby servers regularly or irregularly, and when astandby server fails, the delivery configuration of the disk image ofthe standby server can be reconfigured in consideration of the priorityand the operational status and the like of the standby server, with theresult that the availability can be increased.

The column 907 stores service statuses. As to active servers,information about active servers' statuses whether they are providingservice services or not (down) is listed, and as to standby servers,information about standby servers' standby states whether they are inhot-standby state, cold-standby state or fail-over state is listed. Whena standby server is in hot-standby state, it is desirable to turn offthe power to the standby server in order to reconfigure theconfiguration of the standby server. If it is on cold standby state, theimmediate redelivery can be performed. It is necessary to turn on thepower to the standby server before the resetting is performed.Information this column shows about standby servers makes it possible toreconfigure the delivery configuration of the disk images of standbyservers.

The column 908 stores coincidence ranges within which some pieces ofunique information should coincide when fail-over measures areperformed. For example, the row 951 and 952 designate the coincidenceranges with in which P.P.s, OSs, and architectures and the like shouldcoincide. Even if the disk image delivered in advance to a standbyserver has different unique information from desired one, resettingnecessary pieces of unique information may allow the fail-over to beperformed with lower cost than redelivery of the suited disk image tothe standby server. When a disk image name is designated as shown in therow 953, if the disk image has not been delivered in advance to theserver, it is necessary to redeliver a suited disk image to the serverThis table should be completed by an administrator inputting desireddata on the basis of his operation policy.

The flexibility of the coincidence range (the column 908) will bedescribed in detail.

-   -   The flexibility of the coincidence range for disk images: the        settings of unique information for a disk image can not be        allowed to change, so that there is no flexibility. The        availability can be increased by using disk images and settings        that ensure secure operations.    -   The flexibility the coincidence range for P.P.s: Even if two        disk mages are different from each other, the difference can be        made up by changing the settings for unique information, so that        there is a lot of flexibility. A server for a fail-over can be        prepared only by changing the settings, so that changing the        settings for unique information for P.P.s meets the needs        required by fail-over measures.    -   The flexibility of the coincidence range for OSs: Even if two        disk mages are different from each other and different P.P.s        have been installed, One disk image can be used instead of the        other by additionally installing and setting necessary P.P.s as        long as they are allowed to be installed by the coexistence        conditions with other P.P.s of Table concerning Software stored        in Disk Image (See the column 710 in FIG. 7), so that there is        much more flexibility. There may be possibility that the        redelivery can prepare the fail-over destination more quickly        than the resetting when evaluating costs stored in P.P. unique        setting, so that it becomes very important to evaluate        preparation costs (See FIG. 7).    -   The flexibility of the coincidence range for architectures: To        provide a service, it is necessary to specify architecture along        with P.P.s. Therefore, designating the tolerant range for only        architecture itself is meaningless. However, there are some        services that can be provided if only specific P.P.s are        installed even if the architecture and an OS are different. In        other words, by designating only a P.P. without designating        architecture and an OS, a wide range of the fail-over        destination candidates can be designated, with result that the        resources can be effectively utilized.

FIG. 10 describes Management Table of Service Provision Server 324 inFIG. 3 in detail. Especially it shows that an active server is brokendown and a service is switched. The constitution of the table is thesame as that in FIG. 9. Therefore, as to each column, please refer toFIG. 9. To be concrete, the column 9* in FIG. 9 is corresponding to thecolumn 10* in FIG. 10. The case where the server 3 listed in the row1053 is broken down will be described. It will be assumed that theserver 3 is broken down and a fail-over is taken using the server 4 thatis a standby server. The area surrounded by a bold line is a target areawhere input items will be changed.

The input item Failure Status in the section that the column 1006 andthe row 1053 have in common has been changed to “In Failure”. The inputitem Failure Status in the section that the column 1006 and the row 1054have in common has been changed to “B-1 being switched”, which showsthat the service B-1 is in failure.

The input item Delivery Status in the section that the column 1005 andthe row 1054 have in common has been changed to “In Delivery”. This isbecause although the condition shown by the column 1008 is “Disk Image”coincidence at the failed service, the disk image already delivered isfor a different service as shown by the column 903 in FIG. 9, so thatthe redelivery is required.

The input item Service Status in the common section of the column 1007and the row 1053 has been changed to “Down”. This shows that the serviceis not provided. In addition, the input item in the common section ofthe column 1007 and the row 1054 has been changed to “In Fail-over”.This shows that preparation for switching of the servers is being done.

FIG. 11 illustrates Management Table of Service Provision Server 324 inFIG. 3 in detail. Especially it shows the status where the switching ofthe servers has been completed. The constitution of the table is thesame as that in FIG. 9. Therefore, as to each column, please refer toFIG. 9. As mentioned above, to be concrete, the column 9* in FIG. 9 iscorresponding to the column 10* in FIG. 10.

The input item in the common section of the column 1103 and the row 1154shows that the server 4 has taken over the service that the failedactive server provided. The input item in the common section of thecolumn 1105 and the row 1153 is null. To recover the input item, theserver 3 must be replaced and the reinstallation (redelivery) is needed.The input item in the common section of the column 1105 and the row 1154shows that the delivery and settings of unique information have beencompleted. The input item to store Service Status in the common sectionof the column 1107 and the row 1154 stores “Serviced”, which shows thatthe service is being provided.

More detail about FIG. 9, FIG. 10, and FIG. 10 described above will bealso given in the explanation of the flowcharts in FIG. 15 andsubsequent figures.

FIG. 12 illustrates Table concerning Services and Network 325 in FIG. 3in detail. This table is used to manage the settings for networks towhich servers providing services belong.

The column 1201 stores Service IDs (identifiers). The column 1202 storesVLAN IDs (identifiers). The column 1203 stores MAC addresses of theservers providing services. The column 1204 stores communicationprotocol names that the services use.

The column 1205 stores Bridge IDs (identifiers) that are uniquely givento individual NW-SWs. The column 1206 stores Port IDs (identifiers) thatare uniquely given to individual ports in the NW-SWs. The column 1207stores IP information.

The settings for the servers providing services, the NW-SWs and networksare managed with the use of the row 1251 to 1253 of this table. Thesettings for the services, the NW-SWs and networks are managed with theuse of the row 1255 and 1256. When some port or some IP address has beenalready used, designating the ranges of port identifiers or the rangesof IP information in the column 1206 and column 1207 where IPinformation is stored instead of designating the port or the IP addressmakes it possible to use other vacant port or IP address. This not onlymakes it possible to change setting values flexibly, but also can avoidthe risk that duplication of the setting information prevents theservice from being continuously provided when the designated disk image(in which unique information is already set) is delivered.

The column 1257 includes the settings concerning the network group towhich standby servers that are not engaged in services belong. Becauseit is not allowed to deliver disk images and change settings throughservice networks, it is necessary to assure such a network group towhich reserved standby servers belong.

FIG. 13 illustrates Table concerning Service Priority 326 in FIG. 3 indetail. Setting priorities to services makes it easy to determine thedisk images delivered in advance to standby servers. When a service witha higher priority occurs after a service with a low priority, there maybe a case where it is desirable to deal with the service with a higherpriority preferentially with fail-over measures to the service with alower priority interrupted. This table makes it possible to materializesuch an operation policy.

The column 1301 stores service IDs (identifiers). The column 1302 storesthe initial values of priorities. Therefore, even if the priorities havebeen dynamically changed, an administrator can recover the initialvalues of priorities whenever he likes.

The column 1303 stores current values of priorities. This column is usedto meet the need to raise the priorities of other servers because theprobability of the failure reoccurrence of a standby server that tookover the service of a failed server is considered low. In this way,delivering disk images of servers with higher probability of the failureoccurrence to standby servers makes it possible to realize a high speedfail-over with a higher probability.

FIG. 14 illustrates Failure Notification Management Table 328 in FIG. 3in detail. Taking advantage of this table makes it possible to give suchflexibility to the operation method as changing measures per eachfailure notification or combining failure notifications with servicepriorities.

The column 1401 stores notification IDs (identifiers) The column 1402stores failure information, thresholds for failures, and the valueranges for failures. The column 1403 stores priorities, and thethresholds for taking fail-over measures (the number of failurenotifications).

Using information included in this column makes it possible to increasesuch flexibility of responses as taking immediate fail-over measures tosome failure notifications and putting off taking fail-over measures toother failure notifications until the failures frequently occur. Inaddition, adding performance failures to this column makes it possibleto obtain a higher performance server and replace the failed server withthis server when a failure has occurred. For example, in such anenvironment as a data center where servers with various performances aremaintained and provided, it can be expected that the operation andservices are performed by upgrading standby servers and replacing afailed server with a higher performance server when a failure hasoccurred. In this case, although the agreement with the data center maybe needed in advance, a user will be able to reduce the cost of thesystem because a server with necessary performance can be obtained ondemand.

FIG. 15 shows the process flow of Control Program Group 110 ofmanagement server 302 that is used to realize a disk image deliverysystem fail-over in this embodiment.

At Step 1501, Failure Notification Receiving Program 310 receives afailure notification and judges whether to separate the server thatcaused the failure notification. If the server is separated, the flowproceeds to Step 1502. At Step 1502, Network Setting Changing Program311 is run and the failed active server 102 is separated from theservice network.

At the Step 1503, Delivery Instruction Program 312 is run, and after thenecessity of redelivery or resetting being judged, Delivery ExecutionProgram 313 is run if necessary and the delivery or resetting isperformed.

At Step 1504, Test Execution Program 314 is run, and after the check ofthe settings and the operation, whether the redelivery or resetting wascorrectly performed or not is judged. If the redelivery or resetting wascorrectly performed, the flow proceeds to the next step. If theredelivery or resetting was not correctly performed, the flow goes backto Step 1503, the redelivery or resetting is performed. In the casewhere the administrator judges it unnecessary or the disk image that hadbeen tested beforehand was delivered, this step can be omitted.

At Step 1505, Network Setting Changing Program 311 is run, and thestandby server is brought into the service network. Then the programupdates Management Table Group 111.

FIG. 16 shows the process flow of Failure Notification Receiving Program310 in FIG. 3. Failure Notification Receiving Program has a mechanism tojudge whether to take fail-over measures.

At Step 1601, Failure Notification Receiving Program receives a failurenotification. This notification includes the value to represent theidentification of a failed server 102. It also includes the contents ofthe failure and the failure state. It is desirable for this notificationto be sent at a time, but it may be sent at several times, being dividedinto several segments in consideration of the network loads. If thefailed server is a standby server 103 and it is difficult for thestandby server to remain to be in standby mode, the failure occurrenceis listed in Management Table of Service Provision Server 324 (See FIG.9 to FIG. 11) and the standby server cannot be selected as a fail-overdestination.

At Step 1602, Failure Notification Receiving Program refers to FailureNotification Management Table 328.

At Step 1603, Failure Notification Receiving Program judges whether totake fail-over measures to the failed active server or not. If thefail-over measures are not taken, the flow proceeds to Step 1604. If thefail-over measures are taken, the flow proceeds to Step 1605.

At Step 1604, Failure Notification Receiving Program updates FailureNotification Management Table 328 and the flow goes back to the firststep where Failure Notification Receiving Program waits for a failurenotification.

At step 1605, Failure Notification Receiving Program updates thecorresponding failure status in Management Table of Service ProvisionServer 324 and ends the process.

FIG. 17 shows the process flow of Network Setting Changing Program 311in FIG. 3.

At Step 1701, Network Setting Changing Program decides whether toseparate the active server 102 from the service network configuration orbring the standby server 103 into the service network configuration. Ifthe active server is separated, the flow proceeds to Step 1702. If thestandby server is brought into the service network configuration, theflow proceeds to Step 1703. At Step 1702, the failed active server isseparated from the service network configuration. In this case, theseparated active server is brought into a spare network group (See thecolumn 1257 in FIG. 12).

At Step 1703, the standby server 103 is brought into the service networkconfiguration. In this case, the standby server is separated from thespare network group and brought into the network group to which thefailed server 102 belonged (See FIG. 12).

FIG. 18A shows the process flow of Delivery Instruction Program 312 inFIG. 3. The name of the failed active server is reported as inputinformation.

At Step 1801, Delivery Instruction Program refers to Management Table ofService Provision Servers 324 (See FIG. 9). First, the program refers tothe column 907 and check whether there is a standby server in standbystate or not. If there is none, the program reports that there is nostandby server in standby state, and ends the whole process. If there isa standby server 103 in standby state, the program refers to the column903 (Service) and check whether there is a standby server with the samedisk image delivered as that of the failed active server 102; whetherthere is a standby server with a disk image for the same servicedelivered as the failed active server; or whether there is a standbyserver with a disk image formed on the common basis delivered as thefailed active server.

If the same disk image is delivered to the standby server, the flowproceeds from Step 1805 to Step 1807. If a disk image for the sameservice or one formed on the common basis is delivered to the standbyserver, the flow proceeds to Step 1803. Then the program collectsinformation concerning necessary settings of unique information andnecessary P.P.s, and the flow proceeds from Step 1805 to Step 1806. Andnow, the details about the judgment at Step 1805 will be described laterwith reference to FIG. 18B.

In the case other than above mentioned two cases, redelivery oradditional installation of P.P.s and the settings of unique informationare needed. The program refers to the coincidence conditions in thecolumn 908. In addition, as to standby servers, the program refers toServer ID (the column 901). According to the selected coincidencecondition, necessary information is collected at the next step.

At Step 1802, the program refers to Information Table concerningHardware included by Disk Image 323 (See FIG. 8). The program refers toInformation Table concerning Hardware included by Disk Image of thefailed active server 102, such as CPU architectures (the column 802),the numbers of HBAs (the column 804), and storage capacities (the column808), and then refers to hardware information about standby servers. Ifit is all right that a standby server can provide the specified serviceregardless of the CPU architecture mounted on the standby server, theCPU architectures (the column 802) of the failed active server and thestandby server need not to be the same. If the operation policy is touse the same disk images or to use the same CPU architectures as aresult of attaching a high value to the operation performance, theprogram reports that there is no standby server with the desired CPUarchitecture and then the program ends the whole process. As to thenumbers of HBAs (the column 804), the number of the NICs (the column808) and the storage capacities (the column 611), there is no problem ifthe number of HBAs, the number of NICs and the storage capacity of thestandby server 103 are larger than those of the active server 102.Although the step where the above mentioned judgment is made is Step1805, it is necessary for the program to refer to the hardwareinformation of the standby server 103 as the needed information withreference to Management Table of Server Hardware Information 321 (SeeFIG. 6) at Step 1803.

If it is all right that the service levels of both servers are the samealthough the CPU architectures of both servers are not the same, theprogram designates the suited coincidence range (the column 908) inManagement Table of Service Provision Server 324 (See FIG. 9). In thiscase, after referring to the host names (the column 705), the IPinformation (the column 707), the P.P. unique settings (the column 709)that are listed in Table concerning Software stored in Disk Image 322(See FIG. 7), the program resets the suited settings to the standbyserver 103. This resetting is performed at Step 1806.

At Step 1804, the program refers to Table concerning Software stored inDisk Image 322 (See FIG. 7), and refers the software information thatthe failed active server 102 holds. If the disk image delivered to thestandby server 103 coincides with that of the failed active server interms of the service level, the program refers to the host name (thecolumn), the OS password (the column 706), the IP information (thecolumn 707), and the P.P. unique information (the column 709), andperforms the resetting at Step 1802. If the disk image coincides withthat of the failed active server in terms of common basis level, it isnecessary to set the P.P. unique information (the column 709) afterperforming the above mentioned resetting and installing necessary P.P.s.When the setup of the standby server 103 is completed so that it cantake over the service of the failed active server 102, the flow proceedsto Step 1807.

At Step 1807, the program turns on the power supply to the standbyserver, and the flow proceeds to Step 1808. At Step 1808, the programrefers to Table concerning Service Priority 326 (See FIG. 13).

At Step 1809, the program judges whether the status where the serviceswith high priorities have been delivered to standby servers ismaintained or not. If the answer is yes, the flow proceeds to Step 1813,and if the answer is no, the flow proceeds to Step 1810.

At Step 1810, Delivery Execution Program 313 is run, and the standbyserver 103 is reconfigured by performing the necessary redelivery orresetting.

At Step 1811, the power supply to the reconfigured standby server 103 isturned on. At Step 1812, Test Execution Program 314 is run, and whetherthe delivery or setting is correctly performed or not is judged bychecking the contents of the setting and the operation. If they havebeen correctly performed, the flow proceeds to Step 1813. If they havenot been correctly performed, the flow goes back to Step 1810, and theredelivery or resetting is performed depending on their erroneousstates.

At Step 1813, Table concerning Service Priority 326 is updated, and theprocess ends.

The selection methods of disk images to be delivered in advance will bedescribed in detail below. These are as follows:

-   -   Disk images of services with higher priorities are delivered in        advance according to the priorities set for services by an        administrator.    -   Disk images of services that have high possibilities of failure        are delivered in advance in consideration of the operation        records.    -   Disk images of services that are working in servers that have        hardware features (such as architectures, parts, and venders)        with high possibilities of failure are delivered in advance in        consideration of the operation records.    -   If the appropriate disk images run short of only the number of        licenses for software, other disk images are delivered. The        priorities for the disk images that run short of the number of        licenses for software are lowered.    -   If the appropriate disk images run short of only the number of        licenses for software, the common disk images are delivered.        Disk images constituted by the pieces of software other than the        pieces of software that run short of the number of licenses are        delivered.    -   Disk images for services that are overused in consideration of        the past load changes and failure histories are delivered in        advance.    -   Disk images of services working in the same hardware as that of        the failed server are delivered in advance.    -   Because it is thinkable that a standby server performing a        fail-over against a failure has lower possibility of failure        than other active servers, the priority of the server that has        the same disk image as the standby server performing the        fail-over is lowered.    -   Disk images of servers or services for which predictors such as        notifications of memory errors or hard disk errors are detected        are delivered in advance although these errors do not directly        lead to failures.    -   Disk images of services working in servers that consume much        electric power, exceed the threshold or are expected to exceed        the threshold are delivered in advance to standby servers with        less electric power consumption prepared beforehand.

The frequencies-of updating disk images delivered in advance are asfollows:

-   -   Periodic updating    -   More frequent updating during busy seasons

The chances when disk images are updated are as follows:

-   -   When a standby server is used to take fail-over measures.    -   When the failures of hardware or bugs of software are detected        in standby servers on the operation tests and the like.    -   When the notification of exceeding the threshold values of        operation times and the like is issued.    -   When the notification of exceeding the threshold values of load        changes is issued.    -   When systems are updated.

Next, the judgment process (of Judgment Module) where whether there is astandby server to immediately take over the service of the failed activeserver or not is judged at Step 1805 will be described in detail withreference to FIG. 18B.

First, At Step 1821, whether the name of the disk image delivered to thefailed active server 102 and that delivered to the standby server 103coincide is judged. If they coincide, the flow proceeds to Step 1836,where ‘Change is unnecessary” is set and the process ends. If two namesdo not coincide, the flow proceeds to Step 1822.

At Step 1822, whether the P.P.s delivered to and stored in the standbyserver 103 and the P.P.s used by the service provided by the failedactive server 102 coincide or not is judged. If they coincide, the flowproceeds to Step 1827. If they do not coincide, the flow proceeds toStep 1833.

At Step 1827, whether the hardware and OS of the standby server arewithin their tolerable setting ranges respectively is judged. If theyare within the tolerable ranges respectively, the flow proceeds to Step1828. If they are not within the tolerable ranges, the flow proceeds toStep 1837.

At Step 1837, whether the hardware of the standby server is within itstolerable setting range or not is judged. If it is within the tolerablerange, the flow proceeds to Step 1824. If it is not within the tolerablerange, the flow proceeds to Step 1826 and “Stop Process” is set. Thesetting of “Stop Process” indicates that it is impossible to takefail-over measures. In other words, no standby server 103 that satisfiesthe requirements can be prepared. In this case, if the management server101 informs users of the impossibility of taking fail-over measures aswell as its reason using such facilities as a GUI display, an e-mailservice, or a pager, users can prepare the necessary hardware andsoftware including licenses. Therefore the recovery work can be quicklyperformed.

At Step 1833, whether P.P.s delivered to the standby server 103 arewithin their tolerable setting ranges or not is judged. If they arewithin their tolerable ranges respectively, the flow proceeds to Step1834. If they are not within their tolerable ranges respectively, theflow proceeds to Step 1823.

At Step 1834, whether the setting values for the P.P.s and OS deliveredto the standby server 103 coincide with those for the failed activeserver 102 or not is judged. In this case, the setting values indicateHost names, IP addresses, license keys and the like. If the formervalues coincide with the latter values respectively, the flow proceedsto Step 1836. Then “Change is unnecessary” is set and the process ends.If the former values do not coincide with the latter values, the flowproceeds to Step 1835. Then “Reset Setting Values” is set and theprocess ends.

At Step 1823, whether the OS delivered to the standby server 103 is thesame as that delivered to the failed active server 102 or not is judged.If they coincide, the flow proceeds to Step 1829. If they do notcoincide, the flow proceeds to Step 1824.

At Step 1829, the cost is evaluated. The cost indicates the time andwork required to reset setting values for an OS and the time to installor set necessary P.P.s. In this embodiment, the time required will beespecially described. As to the time required to reset setting valuesfor an OS and the time to additionally install or set P.P.s, theirvalues are stored in the column 709 in FIG. 7. The necessary costcalculated is compared with “necessary cost to redeliver a whole diskimage” stored in the column 711. In order to achieve a high speedfail-over that is a primary object of the present invention, it isimportant to select a more inexpensive method.

If the additional installation is more inexpensive, the flow proceeds to1830. Then “Additional Installation and Resetting” is set, and theprocess ends. If the additional installation is not more inexpensive,the flow proceeds to 1824.

At Step 1824, whether hardware information of the standby server 103 andthat of the failed active server 102 coincide or not is judged. It isnecessary to compare not only the CPU architectures and the memorycapacities of both servers but also the numbers and types of the I/Odevices of both servers. If both coincide perfectly, the flow proceedsto Step 1831. Then “Redeliver Coincident Disk Image” is set, and theprocess ends. If both do not coincide, the flow proceeds to Step 1825.

At Step 1825, whether the hardware configuration of the standby server102 is within its tolerable range or not is judged.

If it is within the range, the flow proceeds to Step 1832. Then“Redeliver Disk Image that provides the Same Service” is set, and theprocess ends. The difference between the disk image redelivered at Step1831 and that redelivered at Step 1832 is as follows:

-   The disk image that is redelivered with the setting values set at    Step 1831 is the same disk image as is used in the failed active    server 102.-   On the other hand, the disk image that is redelivered with the    setting values set at Step 1832 may be a disk image that can provide    the same service as the failed active server 102 although it has a    different CPU architecture because of its different hardware    configuration, or may be a disk image that can provide the same    service as the failed active server 102 although it has connection    devices with different performances.

FIG. 19 shows the process flow of Delivery Execution Program 313 in FIG.3. This program executes the delivery or the setting, and its executionis instructed by the preceding program. Inputs to this program are dataconcerning the designated redelivery or resetting, and data concerningthe designated server, service or disk image.

At Step 1901, Delivery Execution Program refers to Table concerningSoftware stored in Disk Image 322 (See FIG. 7), and obtains thenecessary values for the delivery and the setting.

At Step 1902, whether the redelivery is necessary or not is judged. Ifthe redelivery is necessary, the flow proceeds to Step 1903 and if theredelivery is not necessary, the flow proceeds to Step 1904.

At Step 1903, the disk image of the designated service is delivered tothe standby server 103, and the flow proceeds to Step 1904.

At Step 1904, whether the resetting is necessary or not is judged. Ifthe resetting is necessary, the flow proceeds to Step 1905 and if theresetting is not necessary, the process ends. At Step 1905, the uniqueinformation is reset. If additional installation of P.P.s is necessary,the unique information is reset after the additional installation isperformed. After this step is completed, the process ends.

FIG. 20 shows the process flow of Test Execution Program 314 in FIG. 3.

A primary object of this program is to check whether unique settingshave proper setting values or to check whether operations are properlyperformed. In this embodiment, the function of this program to checkwhether setting values are correct or not will be described in detail.

At Step 2001, the program obtains the setting values of uniqueinformation for the server and the P.P.s. There are some methods toobtain these values such as one to obtain information by running anagent program on the OS of the server or another to obtain informationusing CIM (Common Information Model) and the like. Any method is allright as long as it can obtain necessary information.

At Step 2002, the program refers to Table concerning Software stored inDisk Image 322 (See FIG. 7).

At Step 2003, the program judges whether the setting values of uniqueinformation for the server and the P.P.s are correct or not aftercomparing the values obtained at Step 2001 with the values referred toat Step 2002. Then the process ends.

As to the process flow of Test Execution Program, it gives input datacorresponding to a service to a server, and makes the server performnormal operations. Then the program examines the process logs and outputresults of the server to judge whether the server can output correctresults after its normal operation.

Test Execution Program is used to evaluate the operation of a standbyserver before the standby server is brought into a service network orafter the delivery or setting to the standby server is completed.Therefore, the situation where the standby server to which fail-overmeasures are taken does not work properly, so that the businesscontinuity is adversely affected can be avoided.

As one of the advantages of the present invention, fail-over measurescan be taken using not only a standby server in cold-standby state butalso using one in hot-standby state. Therefore, a much more high speedfail-over can be realized using a standby server in hot-standby statewhen it is compared with the conventional method where a disk image isdelivered after a failure occurs. The delivery of disk images in advanceand the flexible configuration of standby servers according to thecircumstances realize the above mentioned high speed fail-over.

In addition, in this embodiment described in detail as above, if a diskimage in which unique information is not stored is shared by n servers,the storage capacity necessary to store disk images can be reducednearly n times when it is compared with the situation where one diskimage per server is prepared. In this case, data for the disk image issetting information. The storage capacity for additional settinginformation is required. Because the setting information for n serversneeds a very small capacity (from several bytes to several kilobytes),the sharing of a disk image (from several gigabytes to tens ofgigabytes) has a large beneficial effect even if the storage capacityfor additional setting information is necessary. To be concrete, when ahundred servers that provide the same service are working as so manyactive servers, if one server has a disk image of ten gigabytes withfixed setting values, the storage capacity of a thousand gigabytes (aterabytes) is required. If a disk image is shared by the hundredservers, only the storage capacity of ten gigabytes is required, withthe result that 99% of the storage capacity can be reduced.

In addition, if the shared disk image is delivered in advance to astandby server, many active servers can select the standby server as itsfail-over destination. If a type of setting values are set in advance toa standby server, the standby server can be selected as a fail-overdestination by only one active server when the fixed setting values arenot changed. However, if the setting values for unique information areset or changed when a failure occurs, the standby server can be selectedas a fail-over destination by multiple active servers. For example, itwill be assumed that the setting values for an active server with a highpriority is set to a spare sever in advance. If another server (with thesame service) fails, it will take only several tens of seconds bychanging the setting values of the standby server to take a fail-overmeasures for the failed server, while it will take several tens ofminutes by redelivering an appropriate disk image. If the time requiredto redeliver the disk image is 30 minutes and the time required to resetthe setting values is 60 seconds. Time required by the fail-over isreduced 60 times.

In the case where there are multiple active servers, if the number offailed active servers exceeds the number of standby servers, the activeservers and the services to be saved can be selected according to theirpriorities. In a similar way as above, if there are multiple standbyservers, more appropriate standby server should be selected. If there isa standby server that has the same disk image included in the failedactive server, this server should be selected.

In a special case where there are multiple standby servers that meet theabove condition, a standby server to be used should be selectedaccording to Table concerning Service Priority where parameters showingthe priorities of services are listed. Designating tolerable ranges asto the performances of standby servers can prevent a standby server witha needlessly higher performance from being required. Consequently, evenif an active server that needs a higher performance fails, there is ahigher possibility that the standby servers with that performance areavailable. In addition, because the redelivery necessary to give over ahigh performance standby server can be prevented, the occurrence of asituation where other servers are stopped and the redelivery isperformed can be effectively avoided. In addition, the situation ofstandby servers can be reflected on the priority to select standbyservers. For example, the running policy of “No continuous running” canbe adopted based on the operational records of servers. In contrast withthis, the running policy of “Running specific servers in a focused way”can be also adopted under the assumption that “a server that runscontinuously is reliable”. In addition, according to the running policyof “No running both of adjacent standby servers as much as possible,that is, running the farthest server”, it becomes possible that heatproduced by servers is dispersed or that servers are run up to the limitof their power supplies by preventing power from being consumed locally.After evaluating the priorities of two servers, if they are the same,either server can be selected. For example, selecting the server with asmaller serial number is one of the selection methods. As mentionedabove, some control methods where attention is paid to the location ofservers, power consumed by servers and heat produced by servers is alsoavailable.

IF there are no servers that satisfy the above conditions, the conditionsatisfied by any of the servers is searched for. For example, after thecosts of all the servers are calculated, the server with the lowest costis extracted. In other words, the standby server that is the mostinexpensive to prepare is selected, while whether the redelivery isnecessary or not is judged. In some cases, the fail-over measures isinterrupted, and the management server performs the user notificationprocess by informing users of the impossibility of taking fail-overmeasures and recording data on the logs.

The Second Embodiment of the Present Invention

FIG. 21 is a schematic block diagram showing a system of the secondembodiment of the present invention. The difference between the firstembodiment and the second embodiment is that the storage device of thesecond embodiment is a storage subsystem 2106 attached to a SAN insteadof integrated hard disks. The storage subsystem 2106 is connected toservers (2101, 2102, and 2103) via a NW-SW 2105. Storage SubsystemManagement Mechanism 2121 that controls the storage subsystem and amanagement server 2101 are also connected via a NW-SW 2104.

The management server 2101 connects to active servers 2102 and standbyservers 2103 via the NW-SW 2104. The active servers 2102 provide serviceservices and when one of the active servers 2102 breaks down, one of thestandby servers 2103 will provide the service services instead of thefailed active server. The management server 2101 keeps an eye on theactive servers 2102 and the standby servers 2103. A primary object ofthis embodiment is to provide a system, wherein a failure notificationissued by any one of the active servers 2102 is monitored and when oneof the active servers 2102 breaks down, one of the standby servers 2103will provide the service services instead of the failed active server,with the result that the continuity of business can be enhanced.

Boot disks to boot the active servers 2102 and standby servers 2103 areLUs (Logical Units) 2122 in the storage subsystem 2106, and OSs,middleware and applications to provide services are installed on the LUs2122. The management server 2101 is connected to the storage subsystem2106, and disk images 2141 where software necessary to provide serviceservices is installed are stored in the LUs 2132. Especially, anaggregation of the LUs 2132 where the disk images 2141 are stored istermed LU Group 2131.

Just like those of the preceding embodiment, the contents of the diskimages 2141 are the disk images of the individual active serversnecessary to provide the service services, disk images with the uniqueinformation (setting values) about the individual active serversremoved, or disk images where only the pieces of software used commonlyby the active servers are installed, and the like. When a failure occursat any of the active servers 2102, a disk image 2141 that provides asimilar service as the failed active server 2102 does is delivered toone of the standby servers 2103, with the result that the continuity ofthe service can be achieved. As to the disk image delivered, if the diskimage 2141 that has the completely same disk image of the failed server2102 is delivered, the continuity of the service can be achieved only bythe delivery. In this case, however, the same number of the disk images2141 as the number of the active servers must be prepared, with theresult that an enormous amount of storage is needed.

Compared with the above approach, if the disk images with the uniqueinformation about the individual active servers removed are used, thedisk images 2141 with the same service services can be commonly usedalthough the setting the unique information about the individual activeservers must be performed after delivery. Hence, the storage capacitynecessary to store the disk images 2141 can be reduced. In addition, ifthe disk images 2141 where only the pieces of software used commonly bythe active servers are installed are used, the disk images 2141 can beshared throughout the server system. In this case, because the necessarypieces of software must be installed and the unique information for OSand each piece of software must be set after delivery, the highest speedof the fail-over cannot be expected. However, this approach is much moreadvantageous in terms of workload and labor time than approaches whereinstallation must be performed on a server which has nothing installed.Especially in this embodiment, because the time needed to complete afail-over can be reduced by delivering disk images in advance to thestandby servers 2103, reinstallation should be avoided as much aspossible. By delivering the disk images 2141, where only the pieces ofsoftware used commonly are installed, in advance on the standby servers,reinstallation can be avoided and a fail-over can be realized morespeedy.

Control Program Group 110 includes a group of programs that realize theabove mentioned high speed fail-over. In addition, Management TableGroup 111 stores information tables concerning the active servers 2102and the standby servers 2103, information tables concerning the diskimages 2141, and information table concerning service services. Here,because the way to deliver disk images is not specified, the disk imagescan be delivered via an IP network, via a storage network, or they canbe delivered with the use of the disk copy function between the LUs inthe storage subsystem 2106. In addition, the case where the managementserver 2101 has integrated disks and stores the disk images 2141 on theintegrated disks can be considered as one of the variations of thisembodiment. Therefore, there are some cases where the management server2101 and the storage subsystem 2106 are not connected to each other viathe NW-SW 2105, and further there are cases where integrated disks and astorage subsystem attached to a SAN coexist.

FIG. 22 is a diagram showing an example of the configuration of themanagement server 2101 in this embodiment. The management server 2101includes a CPU 2201 that carries out calculation, a memory 2202 thatstores programs and processes used in the CPU 2201, a NIC 2203 that isused for the communication through the IP network, an HBA 2204 that isused for communication with the storage subsystem 2106, and the LUs 2122(, which exist in the storage subsystem 2106 and are connected to themanagement server 2101 via the NW-SW 2105 and the HBA,) that are storageareas to store programs and data. Just like the configuration shown inFIG. 3, Control Program Group 110 and Management Table Group 111 arestored in the memory 2202.

In a similar way to the preceding embodiment, Control Program Group 110(See FIG. 15) includes Failure Notification Receiving Program 310 (SeeFIG. 16), Network Setting Changing Program 311 (See FIG. 17), DeliveryInstruction Program 312 (See FIG. 18), Delivery Execution Program 313(See FIG. 19), and Test Execution Program 314 (See FIG. 20).

In a similar way to the preceding embodiment, Management Table Group 111includes Management Table of Server Hardware Information 321 (See FIG.6), Table concerning Software stored in Disk Image 322 (See FIG. 7),Information Table concerning Hardware included by Disk Image 323 (SeeFIG. 8), Management Table of Service Provision Server 324 (See FIG. 9,FIG. 10, and FIG. 11), Table concerning Services and Network 325 (SeeFIG. 12), Table concerning Service Priority 326 (See FIG. 13), SecuritySetting Table of Storage Subsystem 327 (See FIG. 24), FailureNotification Management Table 328 (FIG. 14), and the like.

Failure notifications received by the management server 2101 areperformed by a monitoring mechanism that is built using hardware andsoftware possessed by the active server 2102, that is, the target serverfor monitoring and the standby server 2103. In addition, it is to beunderstood that the case where the management server 2101 has integrateddisks and the disk images 2141 are stored on the integrated disks arealso covered by this embodiment. Therefore, there are some cases wherethe management server 2101 and the storage subsystem 2106 are notconnected to each other via the NW-SW 2105, and further there are caseswhere integrated disks and a storage subsystem attached to a SANcoexist.

FIG. 23 illustrates the configuration of the active server 2102 (or thestandby server 2103). The active server 2102 (or the standby server2103) includes a CPU 2301 that carries out calculation, a memory 2302that stores programs and processes used by the CPU 2301, a NIC 2303 thatis used for the communication through the IP network, a BMC 2304 that isused for the management server 2101 to control power supply and an HBA2305 used for communication with the storage subsystem. The power to theactive server 2102 (or the standby server 2103) can be turned on or offthrough the BMC 2304.

The active server 2102 and the standby server 2103 are connected to themanagement server 2101 via the NW-SW 2104. Monitoring programs (notshown) running on the active server 2102 and on the standby server 2103communicate with the management server 2101 through the NIC 2303, andinform the management server 2101 of failures. The settings, loads,failures and the like of the active server 2102 and the standby server2103 can be monitored by the above mentioned monitoring programs. Theremay be often the case where the NIC 2303 is used only for management, soit is common that another NIC is installed for the service services. Inaddition, the BMC 2304 also connects the active server 2102 and thestandby server 2103 to the management server 2101 through the network.Therefore the management server 2101 can be informed of hardwarefailures and it can also turn on or off the power to the active server2102 and the standby server 2103 forcibly through hardware means.

FIG. 24 illustrates Security Setting Table of Storage Subsystem 327 indetail.

The column 2401 stores host group names. The column 2402 stores WWNs.The column 2403 stores logical LU names. The column 2404 stores physicalLU names corresponding to logical LU names in the column 2403. Thecolumn 2405 stores port numbers of the storage subsystem 2106.

Access by a WWN registered in a host group is allowed only to the LUsregistered in the same group. In other words, an LU cannot be accessedby a specific server.

FIG. 25 illustrates the behavior of a security function 2520 thatdecides the correspondent relations between the LUs 2122 and themanagement server 2101, the active servers 2102, or the standby servers2103. A server 1 (2501) possesses an HBA1 (2502), in which WWWN1 (2503)is recorded. A server 2 (2511) possesses an HBA2 (2512), in which WWWN2(2513) is recorded. The server 1 (2501) and the server 2 (2511) areconnected to the NW-SW (network switch) 2105, and they are connected tothe storage subsystem 2106 via the NW-SW 2105.

The security function 2520 allows the server 1 (2501) to access avirtual disk LU0 (2531) and LU1 (2532) which correspond to a physicaldisk LU10 (2533) and LU11 (2534) respectively. On the other hand, theserver 2 (2511) can access a virtual disk LU0 (2541) and LU1 (2542)which correspond to a physical disk LU21 (2543) and LU22 (2544)respectively. The server 1 (2501) can access neither the physical diskLU21 (2543) nor LU22 (2544).

The Third Embodiment of the Present Invention

FIG. 26 is a schematic block diagram showing a system of the thirdembodiment of the present invention. The difference between the firstembodiment and the third embodiment is that the active servers and thestandby servers of the third embodiment are virtual servers 2632 thatutilize virtualization features 2631 and that I/O allocation programs2641 in the virtualization features 2631 can store differences on an LU2652 in a storage subsystem 2605. Owing to the above mentionedconfiguration of this embodiment, it becomes possible that when one ofthe active servers fails, a standby server can take over the service ofthe failed active server with the use of the latest data.

A management server 2601 is connected to a storage subsystem managementmechanism 2651 that manages the storage subsystem 2605 via a NW-SW 2604and also it is connected to servers 2603 via a NW-SW 2604.

The servers 2603 include CPUs 2621 that carry out calculation, memories2622 that store programs and processes used by the CPUs 2621, NICs 2625that are used for the communication through an IP network, HBAs 2626used for communication with the storage subsystem, BMCs 2624 that areused for the management server 2601 to control power supply, and the LUs2652 (, which exist in the storage subsystem 2605 and are connected tothe server 2603 via a NW-SW 2602 and the HBA 2626,) that are storageareas to store programs and data. In addition, storage devices 2623 areattached to the servers as storage areas.

The virtualization features 2631 are working on the memories 2622 torealize server virtualization with the use of which the resources of theservers 2603 (the CPUs, the memories, I/O devices and the like) areshared. The virtualization features 2631 divide the resources of theservers and allocate the divided resources to the virtual servers 2632individually. I/O allocation programs 2641 in the virtualizationfeatures 2631 divide I/O requests from the virtual servers 2632 andwrite the divided I/O requests into disks for booting the virtualservers 2632 and into difference data disks used to record differencesgenerated after the virtual servers are booted. The disks for bootingthe virtual servers can be stored in the storage devices 2623 or can bestored in the LUs 2652 in the storage subsystem 2605. On the other hand,the difference data disks must be stored in the LUs 2652 in the storagesubsystem 2605, so that servers other than the servers 2603 and thevirtual servers 2632 as well as the servers 2603 can access thedifference data disks. In other words, the difference data disks must beshared. Consequently, even when one of the servers 2603 or the virtualservers 2632 fails and fail-over measures to deliver a disk image istaken, it becomes possible to take over the service of the failed serverwith the use of the latest data. FIG. 26 shows an example of theembodiment of the present invention where integrated disks and a storagesubsystem attached to a SAN coexist.

FIG. 27 shows one of variations of the third embodiment where there areno storage devices corresponding to the storage disks 2623 shown in FIG.26 and the disks for booting the virtual servers are stored in LUs 2753in a storage subsystem 2705. Other parts of FIG. 26 are similar to thoseof FIG. 27. The component 270* in FIG. 27 is corresponding to thecomponent 260* in FIG. 26. In this case, the disks for booting thevirtual servers can be taken over when failures occur. However, if an OSor any piece of software fails, an appropriate disk image must be sentto the corresponding disk for booting the virtual servers in order torecover them.

FIG. 28 illustrates the configuration of one of the virtual servers 2632shown in FIG. 26 in detail. The virtual server 2632 includes a virtualCPU 2801 that carries out calculation, a virtual memory 2802 that storesprograms and processes used in the CPU 2801, a virtual NIC 2803 that isused for the communication through the IP network, a virtual BMC 2804that is used for the management server 2601 to control power supply, anda virtual storage device 2805.

FIG. 29 illustrates the configuration of one of the virtual servers 2732shown in FIG. 27 in detail. The difference from FIG. 28 is that there isa connection device used for the virtual server to connect to storagesin FIG. 29. In FIG. 29, there is a virtual HBA 2905 used for the virtualserver to connect to the storage subsystem 2705 instead of the virtualstorage device 2805 in FIG. 28.

The virtual server 2732 includes a virtual CPU 2901 that carries outcalculation, a virtual memory 2902 that stores programs and processesused in the CPU 2901, a virtual NIC 2903 that is used for thecommunication through the IP network, a virtual HBA 2995 that is usedfor communication with the storage subsystem, and a virtual BMC 2904that is used for the management server 2601 to control power supply.

FIG. 30 illustrates Difference Data Management Table used in thisembodiment in detail.

The column 3001 stores server identifiers. The column 3002 storesvirtual server identifiers.

The column 3003 stores original volume names. The original volumes maybe disks for booting OSs or may be disks for storing data. Whether anoriginal volume is a disk for booting an OS or a disk for storing datacan be judged by the corresponding type stored in the column 3005.

The column 3004 stores difference volume names. In the configuration ofthis embodiment, when fail-over measures are taken against a failure, itis possible to restart the service with the use of the latest data bytaking over this difference volume of the failed server.

FIG. 31 illustrates License Management Table 330 shown in FIG. 3 indetail.

The column 3101 stores license product names. The column 3102 stores theremaining numbers of licenses.

There are many license agreements where it is impossible to deliver diskimages that include the pieces of software with the remaining numbers oftheir licenses 0 to standby servers in advance. By managing theremaining numbers of licenses, the situation where there are disk imagesthat include the pieces of software with the remaining numbers of theirlicenses 0 can be known. Therefore, when such a situation occurs, thepriorities (the column 1303) in Table concerning Service Priority 326must be updated.

Although the present invention has been described in detail based on itsvarious embodiments, it is to be understood that the case where theconnection method to attach a storage subsystem to a SAN is an iSCSI isalso applicable to the present invention.

1. A server switching method for a server system that includes activeservers, at least one standby server and a management server that areequipped with storage devices and process modules respectively and thatare all connected through a network, the method comprising: themanagement server: delivering a disk image of an appropriate activeserver to the standby server in advance; holding service provisionmanagement server information in a storage device of its own; whenreceiving the report that the active server has failed, judging whetheror not it is possible for the standby server to perform the service ofthe failed active server based on the service provision managementserver information held in the storage device; and instructing thestandby server to perform the service of the active server, if possible,wherein: the management server judges whether or not it is possible forthe standby server to perform the service of the failed active serverbased on disk image names that are included in the service provisionmanagement server information, the management server holds softwaremanagement information possessed by the disk image in the storage deviceof its own, and judges whether or not the disk image stored in advancein the storage device of the standby server lacks any pieces of softwarebased on both the service provision management server information andthe software management information, and if the disk image stored inadvance in the storage device of the standby server lacks some pieces ofsoftware, the management server: compares the time needed to install thelacking pieces of software with the time needed to deliver the diskimage; installs the lacking pieces of software on the standby server andchanges the setting values of the software if the time needed to installthe lacking pieces of software on the standby server is shorter; anddelivers the disk image to the standby server if the time needed todeliver the disk image to the standby server is shorter.
 2. A serverswitching method for a server system that includes active servers, atleast one standby server and a management server that are equipped withstorage devices and process modules respectively and that are allconnected through a network, the method comprising: the managementserver: delivering a disk image of an appropriate active server to thestandby server in advance; holding service provision management serverinformation in a storage device of its own; when receiving the reportthat the active server has failed, judging whether or not it is possiblefor the standby server to perform the service of the failed activeserver based on the service provision management server information heldin the storage device; and instructing the standby server to perform theservice of the active server, if possible, wherein: if the managementserver judges the standby server to be incapable of performing theservice of the failed active server, the management server sends, to thestandby server, a disk image with the use of which the standby servercan perform the service of the active server, and the management server:holds hardware management information in the storage device of its own;judges whether the type of the process module of the active server andthat of the standby server coincide or not based on the hardwaremanagement information when the management server sends the disk imageto the standby server; and if they do not coincide, delivers a diskimage that is fit to the type of the process module of the standbyserver.
 3. A server system comprising: an active server; at least onestandby server; and a management server that are connected through anetwork to the active server and the standby server, wherein: the activeserver, the standby server, and the management server are equipped withprocess modules and storage devices respectively, the process module ofthe management server stores the disk image of the active server inadvance in the storage device of the standby server and holds serviceprovision management server information in the storage device of themanagement server, when the management server receives the report thatthe active server has failed, the process module of the managementserver judges whether or not it is possible for the standby server toperform the service of the failed active server based on the serviceprovision management server information, the process module instructsthe standby server to perform the service of the active server, ifpossible, the process module of the management server judges whether ornot it is possible for the standby server to perform the service of thefailed active server based on disk image names that are included in theservice provision management server information, the management serverholds software management information possessed by the disk image in thestorage device of its own, the process module of the management serverjudges whether the disk image stored in advance in the storage device ofthe standby server lacks some pieces of software or not based on boththe service provision management server information and the softwaremanagement information and if the disk image stored in advance in thestorage device lacks any pieces of software, and the process module:compares the time needed to install the lacking pieces of software withthe time to deliver another disk image; installs the lacking pieces ofsoftware on the standby server and changes the setting values of thesoftware if the time needed to install the lacking pieces of software onthe standby server is shorter; and delivers the disk image to thestandby server if the time to deliver the disk image to the standbyserver is shorter.